de.aristaflow.adept2.base.security

Interface AuthMethod

public interface AuthMethod

This interfaces declares and describes various authentication methods that may be supported by implementations of Authentication and SecurityManager. An implementation may choose not to support an authentication method and throw an AuthenticationException with an appropriate message when called with this authentication method. Usually these authentication methods are used for the local security manager which in turn may provide the result of the local authentication to the global security manager before really authenticating. The local security manager may change the authentication method, for instance, using JAAS locally and sending the corresponding Subject to the global security manager without the authentication data used locally.

There are several method parameters for authentication but not all work with every authentication method and some are optional. This interface explains the possible parameter combinations and their meaning. First there may or may not be a unique identifier of type String, for instance the username. Second there must always be the name of the authentication method (String), usually one that is declared in this interface. Third the authentication data (byte[]) of the authentication method is always present, but for some authentication methods, this may be null. And last a CallbackHandler may be provided that allows the implementation of an authentication method to request additional data since the provided one is insufficient. For instance when no username is provided but one is needed and an appropriate callback handler is required, the username may be requested interactively. Another example for callbacks is the need to change the password since the provided one has expired.
The different combinations of some sort of user ID (String), authentication data (byte[]) and callback handler (AFCallbackHandler) and the meaning of the respective parameter value are explained for each supported authentication method below. Additionally, the known callbacks are described but this may not be complete since the used callbacks may depend on the implementation.

Each authentication method may have specific configuration values that are read from the configuration of the SecurityManager. These are also defined and described here.

Author:

Ulrich Kreher

Field Summary

Fields

Modifier and Type	Field and Description
static java.lang.String	CONF_NET_LOCAL_ADDRESS Configuration key for network-based authentication (NET_IP_ADDRESS and NET_MAC_ADDRESS).
static java.lang.String	CONF_USE_JAAS Configuration key for whether to use JAAS.
static java.lang.String	FORWARD_SUBJECT The authentication data is a Subject but it is not provided to the local JAAS but just forwarded to the global security manager using GlobalAuthMethod.JAAS_SUBJECT on server-side.
static java.lang.String	IMPLICIT_NETWORK The communication provides the network-related data which is interpreted by the global security manager.
static java.lang.String	JAAS A JAAS-based authentication without any further information.
static java.lang.String	JAAS_SUBJECT A JAAS-based authentication with a Subject to provide to the local JAAS.
static java.lang.String	JAAS_UTF8_PASSWORD The usual password based authentication like UTF8_PASSWORD but this time requiring JAAS.
static java.lang.String	NET_IP_ADDRESS The local security manager provides its own configured IP-address (see CONF_NET_LOCAL_ADDRESS), signs it and calls GlobalAuthMethod.TRUSTED_NET_IP_SIGNED at the global security manager.
static java.lang.String	NET_MAC_ADDRESS The local security manager provides its own configured MAC-address (see CONF_NET_LOCAL_ADDRESS), signs it and calls GlobalAuthMethod.TRUSTED_NET_MAC_SIGNED at the global security manager.
static java.lang.String	OAUTH2_TOKEN The user is identified via an OAuth2 token.
static java.lang.String	SERIALISED_CLIENT_SESSION_FACTORY The user is identified via the own client session factory.
static java.lang.String	SHARED_UTF8_KEY The clients provide a shared key (a string provided as UTF-8).
static java.lang.String	UTF8_PASSWORD The usual password based authentication.

Field Detail

UTF8_PASSWORD

static final java.lang.String UTF8_PASSWORD

The usual password based authentication. The password is plain being no hash and not encoded (except UTF-8).
If JAAS is used locally (CONF_USE_JAAS, the String (if present) will be provided to a NameCallback and the password (byte[]) will be provided to a PasswordCallback.
If no JAAS is used locally, the organisational model will be inspected.

Combinations of parameters and their semantic for UTF-8_PASSWORD

String, byte[], null	String	The identifier of the entity, usually the username or a numerical user ID (as String).
	byte[]	The plain password as UTF-8-encoded byte representation of the password string.
String, byte[], AFCallbackHandler	String	The identifier of the entity, usually the username or a numerical user ID (as String).
	byte[]	The plain password as UTF-8-encoded byte representation of the password string.
	AFCallbackHandler	This may use a NameCallback if the username is not found and PasswordCallback if the password is wrong. When using JAAS, there may be additional callbacks depending on the underlying JAAS-LoginModule.
byte[], null	AuthenticationException always. The provided data is insufficient and no data can be requested via a Callback.
byte[], AFCallbackHandler	byte[]	The plain password as UTF-8-encoded byte representation of the password string.
	AFCallbackHandler	This will use a NameCallback for the username and may use PasswordCallback if the password is wrong. When using JAAS, there may be additional callbacks depending on the underlying JAAS-LoginModule.

See Also:

Constant Field Values

JAAS

static final java.lang.String JAAS

A JAAS-based authentication without any further information. This depends on the JAAS-configuration of the local JVM and therefore the usage of a callback handler is strongly encouraged.
This method requires JAAS to be configured (CONF_USE_JAAS).

Combinations of parameters and their semantic for JAAS

String, byte[], null	String	Ignored.
	byte[]	Ignored.
String, byte[], AFCallbackHandler	String	Ignored.
	byte[]	Ignored.
	AFCallbackHandler	This may use a NameCallback if the username is not found and PasswordCallback if the password is wrong. There may be additional callbacks depending on the underlying JAAS-LoginModule.
byte[], null	byte[]	Ignored.
byte[], AFCallbackHandler	byte[]	Ignored.
	AFCallbackHandler	This will use a NameCallback for the username and may use PasswordCallback if the password is wrong. There may be additional callbacks depending on the underlying JAAS-LoginModule.

See Also:

Constant Field Values

JAAS_UTF8_PASSWORD

static final java.lang.String JAAS_UTF8_PASSWORD

The usual password based authentication like UTF8_PASSWORD but this time requiring JAAS. Therefore this method requires JAAS to be configured (CONF_USE_JAAS). The password is plain being no hash and not encoded (except UTF-8).

Combinations of parameters and their semantic for JAAS_UTF8_PASSWORD

String, byte[], null	String	The identifier of the entity, usually the username or a numerical user ID (as String). This will be provided to a NameCallback.
	byte[]	The plain password as UTF-8-encoded byte representation of the password string. This will be provided to a PasswordCallback.
String, byte[], AFCallbackHandler	String	The identifier of the entity, usually the username or a numerical user ID (as String). This will be provided to a NameCallback.
	byte[]	The plain password as UTF-8-encoded byte representation of the password string. This will be provided to a PasswordCallback.
	AFCallbackHandler	The handler to which all callbacks except NameCallback and PasswordCallback will be forwarded to. These callbacks depend on the underlying JAAS-LoginModule.
byte[], null	byte[]	The plain password as UTF-8-encoded byte representation of the password string. This will be provided to a PasswordCallback.
byte[], AFCallbackHandler	byte[]	The plain password as UTF-8-encoded byte representation of the password string.
	AFCallbackHandler	The handler to which all callbacks except PasswordCallback will be forwarded to. These callbacks depend on the underlying JAAS-LoginModule.

JAAS_SUBJECT

static final java.lang.String JAAS_SUBJECT

A JAAS-based authentication with a Subject to provide to the local JAAS.
This method requires JAAS to be configured (CONF_USE_JAAS).

Note that the principals of the subject or rather the corresponding classes need to be found by the global security manager.

Combinations of parameters and their semantic for JAAS_SUBJECT

String, byte[], null	String	Ignored.
	byte[]	A serialised Subject that is provided to the JAAS-LoginContext.
String, byte[], AFCallbackHandler	String	Ignored.
	byte[]	A serialised Subject that is provided to the JAAS-LoginContext.
	AFCallbackHandler	The callbacks depend on the designated subject and the underlying JAAS-LoginModule.
byte[], null	byte[]	A serialised Subject that is provided to the JAAS-LoginContext.
byte[], AFCallbackHandler	byte[]	A serialised Subject that is provided to the JAAS-LoginContext.
	AFCallbackHandler	The callbacks depend on the designated subject and the underlying JAAS-LoginModule.

CONF_USE_JAAS

static final java.lang.String CONF_USE_JAAS

Configuration key for whether to use JAAS. This has to be set for JAAS-based authentication methods (JAAS, JAAS_UTF8_PASSWORD and JAAS_SUBJECT). If this is set UTF8_PASSWORD will be treated like JAAS_UTF8_PASSWORD.

See Also:

Constant Field Values

FORWARD_SUBJECT

static final java.lang.String FORWARD_SUBJECT

The authentication data is a Subject but it is not provided to the local JAAS but just forwarded to the global security manager using GlobalAuthMethod.JAAS_SUBJECT on server-side.

Combinations of parameters and their semantic for FORWARD_SUBJECT

String, byte[], null	String	Just forwarded to the global security manager where it should be ignored.
	byte[]	A serialised Subject that is provided to the global security manager.
String, byte[], AFCallbackHandler	String	Just forwarded to the global security manager where it should be ignored.
	byte[]	A serialised Subject that is provided to the global security manager.
	AFCallbackHandler	The callbacks depend on the designated subject and the JAAS-LoginModule on server-side.
byte[], null	byte[]	A serialised Subject that is provided to the global security manager.
byte[], AFCallbackHandler	byte[]	A serialised Subject that is provided to the global security manager.
	AFCallbackHandler	The callbacks depend on the designated subject and the JAAS-LoginModule on server-side.

See Also:

Constant Field Values

CONF_NET_LOCAL_ADDRESS

static final java.lang.String CONF_NET_LOCAL_ADDRESS

Configuration key for network-based authentication (NET_IP_ADDRESS and NET_MAC_ADDRESS).

The client requesting network-based authentication may have several network interfaces. This configuration provides the name (or the textual representation) as String of the network interface to use.
Obviously one should not use "localhost". ;-)

See Also:

Constant Field Values

NET_IP_ADDRESS

static final java.lang.String NET_IP_ADDRESS

The local security manager provides its own configured IP-address (see CONF_NET_LOCAL_ADDRESS), signs it and calls GlobalAuthMethod.TRUSTED_NET_IP_SIGNED at the global security manager. Untrusted security manager should omit the signature and use GlobalAuthMethod.TRUSTED_NET_IP_UNSIGNED.

Combinations of parameters and their semantic for NET_IP_ADDRESS

String, byte[], null	String	The identifier of the entity, usually the username or a numerical user ID (as String).
	byte[]	Ignored.
String, byte[], AFCallbackHandler	String	The identifier of the entity, usually the username or a numerical user ID (as String).
	byte[]	Ignored.
	AFCallbackHandler	Just forwarded to the global security manager.
byte[], null	AuthenticationException always. The provided data is insufficient and no data can be requested via a Callback.
byte[], AFCallbackHandler	byte[]	Ignored.
	AFCallbackHandler	Just forwarded to the global security manager where it will probably request the name via NameCallback.

See Also:

Constant Field Values

NET_MAC_ADDRESS

static final java.lang.String NET_MAC_ADDRESS

The local security manager provides its own configured MAC-address (see CONF_NET_LOCAL_ADDRESS), signs it and calls GlobalAuthMethod.TRUSTED_NET_MAC_SIGNED at the global security manager.
Note that for determining the MAC-address.

Combinations of parameters and their semantic for NET_MAC_ADDRESS

String, byte[], null	String	The identifier of the entity, usually the username or a numerical user ID (as String).
	byte[]	Ignored.
String, byte[], AFCallbackHandler	String	The identifier of the entity, usually the username or a numerical user ID (as String).
	byte[]	Ignored.
	AFCallbackHandler	Just forwarded to the global security manager.
byte[], null	AuthenticationException always. The provided data is insufficient and no data can be requested via a Callback.
byte[], AFCallbackHandler	byte[]	Ignored.
	AFCallbackHandler	Just forwarded to the global security manager where it will probably request the name via NameCallback.

See Also:

Constant Field Values

IMPLICIT_NETWORK

static final java.lang.String IMPLICIT_NETWORK

The communication provides the network-related data which is interpreted by the global security manager. The local security manager just forwards the call, however, no parameters are needed, a callback handler may be useful.

Combinations of parameters and their semantic for IMPLICIT_NETWORK

String, byte[], null	String	The identifier of the entity, usually the username or a numerical user ID (as String).
	byte[]	Just forwarded to the global security manager where it should be ignored.
String, byte[], AFCallbackHandler	String	The identifier of the entity, usually the username or a numerical user ID (as String).
	byte[]	Just forwarded to the global security manager where it should be ignored.
	AFCallbackHandler	Just forwarded to the global security manager.
byte[], null	AuthenticationException always. The provided data is insufficient and no data can be requested via a Callback.
byte[], AFCallbackHandler	byte[]	Just forwarded to the global security manager where it should be ignored.
	AFCallbackHandler	Just forwarded to the global security manager where it will probably request the name via NameCallback.

See Also:

Constant Field Values

SHARED_UTF8_KEY

static final java.lang.String SHARED_UTF8_KEY

The clients provide a shared key (a string provided as UTF-8). If the server has this key in a list of accepted keys, the authentication will be accepted. The local security manager just forwards the call.

Combinations of parameters and their semantic for SHARED_UTF8_KEY

String, byte[], null	String	The identifier of the entity, usually the username or a numerical user ID (as String).
	byte[]	The plain shared key as UTF-8-encoded byte representation of the corresponding string.
String, byte[], AFCallbackHandler	String	The identifier of the entity, usually the username or a numerical user ID (as String).
	byte[]	The plain shared key as UTF-8-encoded byte representation of the corresponding string.
	AFCallbackHandler	This may use a NameCallback if the username is not found.
byte[], null	AuthenticationException always. The provided data is insufficient and no data can be requested via a Callback.
byte[], AFCallbackHandler	byte[]	The plain shared key as UTF-8-encoded byte representation of the corresponding string.
	AFCallbackHandler	This will use a NameCallback for the username.

See Also:

Constant Field Values

OAUTH2_TOKEN

static final java.lang.String OAUTH2_TOKEN

The user is identified via an OAuth2 token. If the configured OOauth server accepts the token for the designated user name, the authentication will be accepted. The local security manager just forwards the call.

Combinations of parameters and their semantic for OAUTH2_TOKEN

String, byte[], null	String	The identifier of the entity, usually the username or a numerical user ID (as String).
	byte[]	The UTF-8-encoded byte representation of the OAuth2 token.
String, byte[], AFCallbackHandler	String	The identifier of the entity, usually the username or a numerical user ID (as String).
	byte[]	The UTF-8-encoded byte representation of the OAuth2 token.
	AFCallbackHandler	This may use a NameCallback if the username is not found.
byte[], null	AuthenticationException always. The provided data is insufficient and no data can be requested via a Callback.
byte[], AFCallbackHandler	byte[]	The UTF-8-encoded byte representation of the OAuth2 token.
	AFCallbackHandler	This will use a NameCallback for the username.

See Also:

Constant Field Values

SERIALISED_CLIENT_SESSION_FACTORY

static final java.lang.String SERIALISED_CLIENT_SESSION_FACTORY

The user is identified via the own client session factory. This is simply serialised to a byte array. If the designated client session factory is valid, authentication will succeed and a new client session factory will be returned. This will not change the user session ID, the app name will be ignored.

Combinations of parameters and their semantic for SERIALISED_CLIENT_SESSION_FACTORY

String, byte[], null	String	Just forwarded to the global security manager where it should be ignored.
	byte[]	The old client session factory serialised to a byte array.
String, byte[], AFCallbackHandler	String	Just forwarded to the global security manager where it should be ignored.
	byte[]	The old client session factory serialised to a byte array.
	AFCallbackHandler	Ignored.
byte[], null	byte[]	The old client session factory serialised to a byte array.
byte[], AFCallbackHandler	byte[]	The old client session factory serialised to a byte array.
	AFCallbackHandler	Ignored.

See Also:

Constant Field Values